Hacked - What to do if you're a target
Mover
December 13th, 2008, 07:06 PM
What would you do if you're being targeted by hackers?
I was discussing this with someone the other day. Viruses/spyware/rootkits etc. are sent out by hackers in an attempt to infiltrate PCs (anyone's PC).
Eventually, security companies (i.e. McAfee, Norton) spot them in the wild and come up with signatures for them to add to their databases.
But what if you are the target of some malicious group of hackers who use virus/spyware kits to create a custom virus/rootkit/etc. that is only distributed to you or a low volume of people?
Antivirus/antispyware would not be able to protect you due to there being no signature for the virus/rootkit/etc. (the virus/rootkit/etc. would probably remain off the antivirus companies' radar because of its low distribution).
Opinions? Solutions?
EASTER
December 14th, 2008, 12:02 AM
That's where I keep a leg up on them.
My IP and range are easily changed due to my custom technique, where they might try to record it to target me but they'll never find me.
Online targeters go after addresses they can rely on that never change.
And I do all this without a proxy.
They have no way to target you if your direct line can double also as a ghost. ;D
The key is to stay one step ahead of them at all times and make it easy on yourself and your machine.
Mover
December 14th, 2008, 01:18 PM
-{ Quote: "The key is to stay one step ahead of them at all times and make it easy on yourself and your machine." }-
What if they target a person's email address without the person knowing it?
Antivirus/antispyware software would be useless in stopping anything malicious as there would be no signature created yet.
Other than the obvious (deleting questionable email), what protective measures could be taken to best stop this particular approach?
(... great idea on constantly shifting the range. :thumb: )
Mrkvonic
December 14th, 2008, 02:29 PM
Hello,
When you're personally targeted - or just general Internet noise?
Answer: 1) use a firewall, 2) do not click on ******** and infect yourself.
Mrk
Rmus
December 14th, 2008, 11:49 PM
-{ Quote: "What if they target a person's email address without the person knowing it?
Antivirus/antispyware software would be useless in stopping anything malicious as there would be no signature created yet.
Other than the obvious (deleting questionable email), what protective measures could be taken to best stop this particular approach?" }-
Since you state the obvious, there should be nothing more to discuss, for if one violates basic security policies about email, well, what else is there to say?
But a related situation deserves mention: the non-questionable email, that is, if the email does seem legitimate. Several exploits using MSWord documents have targeted companies in the past, where the company email list was compromised. The email with the MSWord document attachment had as its subject a topic relevant to the company's business. These types of communication were not uncommon. In this case, however, opening the MSWord document resulted in infection by a trojan file embedded in the document.
Are there protective measures that can prevent this exploit?
Recently, I learned of a person who was targeted in this way some time ago. He checked his email from his laptop while away from his office, opened the MSWord document and immediately received a Software Restriction Policy (SRP) alert.
Here is what a SRP alert looks like. This was sent to me by someone else while doing a test:
http://www.wilderssecurity.com/attachment.php?attachmentid=201068&d
http://www.wilderssecurity.com/attachment.php?attachmentid=201069&d
I've been impressed in recent months by examples of how SRP can protect against all types of remote code execution exploits. It requires no additional software, because it is built into XP PRO. (I'm not sure about VISTA).
The sad part of this incident, I learned, is that the company computers were not locked down like this and the malware was not detected by their AV, resulting in many computers becoming infected.
There are other ways that a user can be fooled into thinking that received electronic communication is OK, as in communication from a known person's compromised email, social networking profile, and other messaging formats.
There are other ways besides MSWord, of course, to sneak in a trojan.
And there are many other protective methods to prevent such exploits. You can argue that the simplest protection is to just avoid running as Administrator!
The person in this example likes SRP because of its potential to set many other policies; it also happens to be an effective in-house way of taking care of these worst-case scenario situations.
----
rich
REFERENCES
Unpatched Word Vulnerability
http://isc.sans.org/diary.html?storyid=4696
Targeted attack: experience from the trenches
http://isc.sans.org/diary.html?storyid=1345
Microsoft Office Security, part one (sample mechanism of an attack)
http://www.securityfocus.com/infocus/1874
Dogbiscuit
December 15th, 2008, 03:42 AM
SRP is available in Vista Business/Ultimate/Enterprise Editions.
As far as I know, there is nothing like pcwGPinst (http://www.wilderssecurity.com/showthread.php?t=200772) for Vista Home editions.
noone_particular
December 16th, 2008, 09:06 PM
-{ Quote: "But what if you are the target of some malicious group of hackers who use virus/spyware kits to create a custom virus/rootkit/etc. that is only distributed to you or a low volume of people?" }-
Someone would have to want you pretty bad to resort to creating malware just for you. Even if this is true, a rootkit, trojan, keylogger, etc. is either its own process or uses an installer of some form, which is also a process. Any of the security measures that prevent an unknown process from executing will be effective. Even then, you would still have to launch it, or have your system configured so insecurely that it's allowed to launch an unknown process.
The other possible scenario would be to use an unpatched exploit in a user application to launch the code. Using such an exploit on a single individual would be an incredible waste from a cracker's point of view. Such exploits sell for big money and are first used against high value targets. Their value is short lived. Even then, as Rmus mentioned, software restriction policies are very effective here. A default-deny security policy that isolates attack surfaces is also effective.
Regardless of the method used, for an attack to successfully compromise your PC, a process that's unknown to your system will have to run. It may be disguised as something else, but anything that checks a signature such as an MD5 will detect that. Any decent security app that controls processes will notice that.
Is this a theoretical question, something that has happened/is happening, or someone's threat to do this?
EASTER
December 16th, 2008, 11:26 PM
-{ Quote: "What if they target a person's email address without the person knowing it?
Antivirus/antispyware software would be useless in stopping anything malicious as there would be no signature created yet.
Other than the obvious (deleting questionable email), what protective measures could be taken to best stop this particular approach?
(... great idea on constantly shifting the range. :thumb: )" }-
Simple.
Use only internet email. That's what I do; forget Outlook.
There's plenty of programs to read all your internet mail accounts, and they are much easier scanned IMO than something slipping through Windows' tethered way.
EASTER
Mover
December 17th, 2008, 05:49 PM
-{ Quote: "Is this a theoretical question, something that has happened/is happening, or someone's threat to do this?" }-
The scenario is a theoretical one which, as Rmus pointed out, has happened in the corporate world. The point was to brainstorm ideas to close the vulnerabilities that exist given the situation. Adding some of these solutions to your defenses (i.e. Software Restriction Policy as mentioned) can't hurt. If anything, it'll help anyone who finds themselves in this situation.
noone_particular
December 18th, 2008, 12:24 PM
In environments other than your personal PC, most of the solutions have controlling user actions at their core, because most of the methods involve getting a user to make a bad decision. In many work and corporate environments, the users have too many administrative abilities. Any security policy that takes administrative abilities away from a user reduces the chances of their compromising the system. I use older operating systems which don't have user controls built in that are very effective. On these, classic HIPS and standard firewalls with passwords can perform the same functions with equal effectiveness, maybe even more.
Educating users only goes so far. There are just too many ways to deceive a user who isn't computer savvy. Example, how do you educate a user to know the difference between a real AV or system alert from a fake one? In a corporate environment, how does a user know a safe document from an unsafe one when it comes from what appears to be another department or desk?
IMO, the best solution is a much more defined line between users and administrators, one that prevents the user from doing any installing, updating, etc. One that requires the administrator or IT department to whitelist the user applications and their interactions. When the user doesn't have the ability to make a bad decision, they're no longer a problem. This is not too much to ask of the IT department. It's their job to know the software needs of their employer.
Rmus
December 18th, 2008, 01:26 PM
What you describe is certainly the best solution. I've suggested such in discussions in another place, and IT and system administrators counter that if you restrict company personnel, you have unhappy employees.
But company policies should have never permitted employees in the first place to use the company computer as if it were their personal computer.
At least one organization -- a police department -- finally said, Enough is enough.
http://www.faronics.com/whitepapers/CaseStudy_LAPD.pdf
-{ Quote: "“We currently have a policy that prohibits unauthorized installation of non-Department sanctioned/owned software on any Department computer,” said Mr. Riley." }-
The MSWord exploit I mentioned above would not run in this environment. This takes care of situations where the user can be fooled into opening documents with embedded malware.
Some educational institutions I've worked at have a similar setup, where Deep Freeze restores the computer lab systems to previous good state at each reboot.
There is much technology available besides what this White Paper listed -- it takes a company CEO to be strong enough to require IT to use it.
----
rich
noone_particular
December 18th, 2008, 03:12 PM
-{ Quote: "IT and system administrators counter that if you restrict company personnel, you have unhappy employees." }-
I'd bet the company itself doesn't like paying employees to play on the web. A system administrator that makes such a claim is trying to protect his/her own free time, which should be spent doing the job they're being paid to do.
At a previous job, the company policies prohibited employees from using the shop computers for personal use, but had no mechanisms in place to enforce it. A reasonably knowledgeable user could gain access to most anything on any of their networks. I could install software on any PC, change network settings, browse anywhere, even access the machine assembly programs. On several occasions, some user opened some infected attachment in their personal e-mail and took out entire networks for days. These users supposedly knew better, but it wasn't their PCs and networks they were risking. Educating users is one thing. Making them care about what they do on equipment that isn't theirs is a whole different problem. Out of the PCs I've cleaned, the worst problems were caused by these users. The only way I know to prevent it is to take the ability to cause a problem away from them.
LockBox
December 18th, 2008, 08:30 PM
-{ Quote: "I'd bet the company itself doesn't like paying employees to play on the web. A system administrator that makes such a claim is trying to protect his/her own free time, which should be spent doing the job they're being paid to do.
At a previous job, the company policies prohibited employees from using the shop computers for personal use, but had no mechanisms in place to enforce it. A reasonably knowledgeable user could gain access to most anything on any of their networks. I could install software on any PC, change network settings, browse anywhere, even access the machine assembly programs. On several occasions, some user opened some infected attachment in their personal e-mail and took out entire networks for days. These users supposedly knew better, but it wasn't their PCs and networks they were risking. Educating users is one thing. Making them care about what they do on equipment that isn't theirs is a whole different problem. Out of the PCs I've cleaned, the worst problems were caused by these users. The only way I know to prevent it is to take the ability to cause a problem away from them." }-
Why not use Deep Freeze or some other instant restoration software on these computers? I think that's the argument of the LAPD in the pdf referenced above in the post from Rmus. After reboot, you wouldn't have any cleaning to do!
noone_particular
December 19th, 2008, 12:22 AM
That "case study" looks more like advertising than anything else. Why not enforce the "not for personal use" policy to begin with? If the user can't alter the system, there's no need for software that restores it on reboot, frozen snapshots, or anything similar, save a normal system backup. Both software restriction policies and well configured application firewalls (HIPS) are very capable of preventing the user or malware from altering the system while still allowing the system administrator to update or modify it as they see fit. It's not that difficult to set up a PC that the user can't alter, which is what should be done in all non-residential environments. Even in the home environment, it's a good idea, assuming that the PC serves more purposes than just a plaything.
LockBox
December 19th, 2008, 12:28 AM
-{ Quote: "That "case study" looks more like advertising than anything else. Why not enforce the "not for personal use" policy to begin with? If the user can't alter the system, there's no need for software that restores it on reboot, frozen snapshots, or anything similar, save a normal system backup. Both software restriction policies and well configured application firewalls (HIPS) are very capable of preventing the user or malware from altering the system while still allowing the system administrator to update or modify it as they see fit. It's not that difficult to set up a PC that the user can't alter, which is what should be done in all non-residential environments. Even in the home environment, it's a good idea, assuming that the PC serves more purposes than just a plaything." }-
It's not like this is new. People used to have to argue about using the telephone at work for personal use. Some people abused it, and I remember a period in the 80's and 90's (when long distance was expensive) when they could no longer rely on "enforcing policy" only. They added PIN codes to access long distance, sometimes for any outbound use of the telephone at all. In other words, they used technology. Today it's computers. If you want to deal with whatever mess some disgruntled employee might leave, or whatever, then don't use anything like Deep Freeze. I think the day will come when any IT department not using instant restore technology will be considered negligent.
noone_particular
December 19th, 2008, 12:07 PM
With the tools that are built in or freely available, if an IT department can't lock down their PCs well enough to prevent personal usage or employee tampering, they're incompetent, lazy, or both. Something like Deep Freeze wouldn't be necessary unless you're allowing personal usage to start with. If not being able to play on the web while on paid time makes employees unhappy, too bad.
This is going way off the original topic. The only way this applies to -{ Quote: "What would you do if you're being targeted by hackers ?" }- is if "you" are a business, workplace, etc, and you're being targeted by someone from within.
SystemJunkie
December 20th, 2008, 11:33 AM
-{ Quote: "But what if you are the target of some malicious group of hackers who use virus/spyware kits to create a custom virus/rootkit/etc. that is only distributed to you or a low volume of people?" }-
This is not the only problem; the main problem is this thing that tracks everything and acts as a sort of artificial intelligence. I doubt that anyone can escape this mechanism actually, except if you would tunnel their tunnel and disable their virus, but that would require a clean motherboard and a clean OS, not easy to find nowadays, except if you would create it yourself. Ethernet plays a key role for their stealth activities, and what about the ISP? Can you trust the line? Proxies are no solution because they manage to smuggle their requests in most cases. Firewalls won't help; they are easily bypassed through HTTP tunneling. Only with permanent SSL there might be a chance to evade the control system.
-{ Quote: "Why not use Deep Freeze or some other instant restoration software on these computers?" }-
Simple answer: That would require that your computer system is 100% clean. If this Manchurian chip exists, we must think about a by-default hardware compromise and a by-default software compromise for commercial OSes of all of today's computer systems. Those freezes could not prevent anything that is built in on motherboards by default. IMHO we have a kind of secret service war between USA/Russia (software controller) and China/Taiwan (hardware controller).
-{ Quote: "All computers on the market today — be they Dell, Toshiba, Sony, Apple or especially IBM — are assembled with components manufactured inside the PRC. Each component produced by the Chinese, according to a reliable source within the intelligence community, is secretly equipped with a hidden microchip that can be activated any time by China’s military intelligence services, the PLA." }-
The evil is there already from scratch. Wake up, this world is perverted. These little nasties built up by wannabe hackers from the AV industry and script kiddies are not the real problem, at least not for those who have been on this board already for a long time.
EASTER
December 20th, 2008, 09:58 PM
Oh great.
Now national security becomes a real problem for many nations, depending on who manufactures the miniature chip hardware and/or software, setting the stage for a real possibility of the doomsday decision.
Can you imagine that all of any nation's active-defense nuclear silo buried ICBMs were given a secret remote signal from an orbiting satellite, secretly coded to trajectory up, around, then straight back down into the nation that depended on it to follow its designed defense course?
Can this scenario be so far fetched or off from exaggeration simply because they're/we're to believe that there are solid safeguards in place to prevent such a mishap?
Definitely food for thought, I think.
Searching_ _ _
December 21st, 2008, 03:24 AM
How would you prevent malicious updates via PXE ROMs' network functionality?
Mrkvonic
December 21st, 2008, 06:40 AM
Two answers:
1) Frankie Goes to Hollywood - Relax
2) Rockwell - Somebody's watching me
Mrk
Searching_ _ _
December 21st, 2008, 07:03 PM
1. Relaxation is not frustration or anger, neither peace nor tranquility, not heavy or light, nor is it the center or empty. If this is true, then what is relaxation?
2. The Coasters - Why is somebody pickin' on me.
I like the idea of expansion ROM and PXE ROM because you don't have to install any malware to remain persistent.
-{ Quote: "Ethernet plays a key role for their stealth" }-
Are you saying that some group is secretly installing picotux at the factory level kinda like the Folgers coffee switch?
Mover
December 25th, 2008, 05:57 PM
-{ Quote: "... IMHO we have a kind of secret service war between USA/Russia (software controller) and China/Taiwan (hardware controller).
The evil is there already from scratch. Wake up, this world is perverted. These little nasties built up by wannabe hackers from the AV industry and script kiddies are not the real problem, at least not for those who have been on this board already for a long time." }-
-{ Quote: "This is going way off the original topic. " }-
I'll say it has. :o
Anyway, although still off topic, I found this old white paper on corporate security which describes a similar scenario (bottom of page 6) to the one I originally posted.
http://www.gfi.com/whitepapers/network-protection-against-trojans.pdf
Rmus
December 25th, 2008, 08:06 PM
From the paper, a targeted email:
-{ Quote: "You check your mail, see that Alex has sent you an attachment containing a joke, and run it without even thinking that it might be a malicious "because, hey, Alex wouldn't do something like that, he's my friend!" ... if you are not running email security software that can detect certain exploits, then attachments could even run automatically, meaning that a hacker can infect a system by simply sending you the trojan as an attachment, without any intervention on a user's part." }-
In a home environment, this is easily prevented, one way being SRP as I showed in Post #5.
However, in a corporate setting, as this paper addresses, it is more problematical. I spoke yesterday with a System Administrator in a large company about some of these issues and current exploits, and he stated that it just wouldn't be practical to restrict the workstations in that way, or even to use a product like Deep Freeze.
The paper concludes that the solution is:
-{ Quote: "To effectively protect your network against trojans, you must follow a multi-level security strategy:" }-
And there follows a list on p. 7.
----
rich
LockBox
December 26th, 2008, 04:13 AM
-{ Quote: "From the paper, a targeted email:
In a home environment, this is easily prevented, one way being SRP as I showed in Post #5.
However, in a corporate setting, as this paper addresses, it is more problematical. I spoke yesterday with a System Administrator in a large company about some of these issues and current exploits, and he stated that it just wouldn't be practical to restrict the workstations in that way, or even to use a product like Deep Freeze.
The paper concludes that the solution is:
And there follows a list on p. 7.
----
rich" }-
Hi Rich,
That was interesting reading, and page 7 listed some important things. But they all involved things that GFI is selling; namely, gateway protection services. I wonder how much can really be done at the gateway without education and use of products at the end-user level. I agree with you about SRP - and even Faronics' whitelisting Anti-Executable (http://www.faronics.com/html/antiexec.asp) and other like solutions.
Trojan proliferation is a growing problem, but I question the abilities of gateway services to handle it. There is a trade-off between security and ease-of-use for employees. An argument can be made that things that seem impractical today may be forced on us in the near future. Too much at risk. Agree? Disagree? It is all what my mom (God rest her soul) used to call a colossal conundrum.
I've always liked your intelligent and thoughtful posts, Rich. You're a valuable member here.
Mover
December 28th, 2008, 03:18 PM
For the XP Home crowd. A link to add SRP to your system.
http://www.wilderssecurity.com/showthread.php?t=200772
noone_particular
December 29th, 2008, 11:39 AM
-{ Quote: "I spoke yesterday with a System Administrator in a large company about some of these issues and current exploits, and he stated that it just wouldn't be practical to restrict the workstations in that way, or even to use a product like Deep Freeze." }-
It's not practical to expect the IT person/department to do their job? A company that allows that attitude from their IT people deserves what they get, compromised.
-{ Quote: "To effectively protect your network against trojans, you must follow a multi-level security strategy:" }-
Setting up and maintaining multiple security layers is preferable to dealing with the layer that is the problem, the users' workstations? This is beginning to look like maintaining job security by refusing to fix the problem so they'll always have work to do.
SystemJunkie
December 30th, 2008, 03:52 AM
-{ Quote: "How would you prevent malicious updates via PXE ROMs' network functionality?" }-
Unplug ethernet?
Rmus
January 9th, 2009, 07:49 PM
Here is a current attack:
Executives at a Swedish Company Targeted via an Email Attachment
http://isc.sans.org/diary.html?storyid=5662
-{ Quote: "The company's high-ranking executives received an email message with an attached executable file named "market.xls .exe"" }-
Note the double extension trick. If Windows is configured to hide known file types, the .exe extension would not show. Also, if I had Excel installed, the Excel icon would display.
Actually, an attached executable file should never get through a mail server. They are deleted by mine automatically, unless zipped.
Also, you wonder if the person would stop and think whether or not she/he had recently sent an XLS file by email to the recipient.
If company personnel are tricked into opening this file, the only sure protection would be if the workstations were configured so that users could not run unauthorized executables.
-{ Quote: "Steven Adair identified the executable as a variant of the Poison Ivy trojan that acts as a backdoor and lets the attacker fully control the infected system." }-
[credit: scribd.com white paper]
----
rich
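A gateway-side check for the attachment naming trick described in the post above (the double extension and the hidden-extension display), written as an added example for this thread; it is not code from the SANS diary or from any product discussed here, and the extension lists, rule names and sample attachment names are constructed for illustration:

```python
"""Classify mail attachment names the way a simple gateway rule would.

Constructed example: the extension sets are a representative subset,
not a complete list of what Windows will execute.
"""

# Extensions Windows runs directly when double-clicked.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "hta", "msi"}
# Archives: the post's own mail server lets executables through only when zipped,
# so these get flagged for inspection rather than dropped outright.
ARCHIVE_EXTS = {"zip", "rar", "7z"}
# Document types typically used as the decoy half of a double extension.
DECOY_EXTS = {"xls", "doc", "pdf", "txt", "jpg", "gif", "ppt", "rtf"}


def extensions(filename):
    """All dot-separated extensions, lower-cased and whitespace-trimmed.

    'market.xls .exe' -> ['xls', 'exe']  (the padding space is not a new part)
    """
    parts = filename.strip().split(".")
    return [p.strip().lower() for p in parts[1:] if p.strip()]


def displayed_name(filename):
    """Name as Explorer shows it with 'Hide extensions for known file types' on.

    Only the final extension is hidden; everything before it, including the
    decoy '.xls' and any padding spaces, is what the user sees.
    """
    base, dot, last = filename.rpartition(".")
    known = EXECUTABLE_EXTS | DECOY_EXTS | ARCHIVE_EXTS
    if dot and last.strip().lower() in known:
        return base
    return filename


def assess_attachment(filename):
    """Return (verdict, reason): 'block', 'warn' or 'allow'."""
    exts = extensions(filename)
    if not exts:
        return ("allow", "no extension")
    real = exts[-1]                      # the extension that decides how Windows opens it
    if real in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            return ("block",
                    f"double extension: displays as '{displayed_name(filename)}' "
                    f"but runs as .{real}")
        return ("block", f"executable attachment (.{real})")
    if real in ARCHIVE_EXTS:
        return ("warn", "archive: inspect contents before delivery")
    return ("allow", f"document (.{real})")


def filter_mailbox(attachments):
    """Apply the rule to a batch of names; returns {name: verdict}."""
    return {name: assess_attachment(name)[0] for name in attachments}


if __name__ == "__main__":
    # Constructed sample names; the first is the one quoted from the SANS diary.
    for name in ["market.xls .exe", "report.xls", "photos.zip", "invoice.pdf      .scr"]:
        verdict, reason = assess_attachment(name)
        print(f"{name!r:28} -> {verdict:5} ({reason})")
```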
TechOutsider
January 13th, 2009, 09:01 PM
I use common sense, NAV, Windows Firewall, a reputable e-mail client, a hardware firewall and a dynamic IP to stealth myself from hackers.
If I were hacked, I would just reformat and change my IP through my ISP.